Educause Security Discussion mailing list archives
Re: Marketscore and Higher Ed
From: Mark Poepping <poepping () CMU EDU>
Date: Thu, 23 Dec 2004 15:13:55 -0500
Following on to the Marketscore thread from the last couple of months, the Internet2 SALSA Advisory group has prepared the following commentary that we hope helps to inform the topic as we continue to discuss the issues...

---

There are many plug-ins, systems, and services that insert the ability to analyze, record, or modify data between clients and servers. Many of these are intentionally malicious in nature (e.g. spyware), but others are created by legitimate organizations for stated business purposes. Examples in this latter category include:

* Anonymizer - A service that offers malware protection and web surfing anonymity.
* Marketscore - A service that promises faster web page download and virus protection in exchange for authority to gather market research data.

While we may argue about specific intent or technique, the consensual nature of these applications generally excludes them from our classifying them as 'spyware'. However, the use of these applications may expose health, financial, or other protected or personal information to third parties in violation of the security policy of a campus, user, or other external service.

Institutions that wish to reduce the likelihood of these types of violations should consider some or all of the following techniques as they assess their own risk-mitigation efforts:

* Host-based Detection - All users should use software that provides vigilance for disclosure of data to third parties, particularly if it's outside the scope of consensual services. Detecting and preventing these applications is often beyond the scope of traditional anti-virus packages and may require installation of additional software.
* Stateless Network-based Remediation - Redirecting DNS queries, or blocking packets at the firewall based on IP address or TCP/UDP port numbers believed associated with these services may offer immediate relief for large user populations, but may also block legitimate resources or require continual parameter adjustments as the provider adapts.
* Stateful Network-based Remediation - Stateful firewalling, and signature-based Intrusion Detection and Prevention Systems can also quickly protect large numbers of clients with fewer side effects, but may not scale to very high speeds and many will be ineffective if the traffic is encrypted.
* Education and Policy - Campus computer users must be informed about the implications of using these third-party services, preferably incorporated into the security training materials provided by groups like EDUCAUSE. Institutions must also consider policies that restrict access to networked campus resources and/or impose higher costs on persons who opt in to these types of services.

Our concern remains high that this class of product may violate user, campus, or third party security policies. We encourage an open dialogue between vendors and academic representatives - possibly within the Security Task Force - to address these issues in an effort to continue to promote good privacy and security practices.

Finally, looking ahead, we would like to consider other approaches that might help us to address these issues, for example:

- more granular plug-in capabilities or better sandbox control
- local feedback on traffic activity
- better services for policy definition, assessment, and enforcement

We are certainly interested to learn more about and discuss possibilities in these (or other) areas, and will work to facilitate some discussion in these directions.

Mark Poepping for SALSA
http://security.internet2.edu/salsa

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.